Layer7 API Management

Expand all | Collapse all

Restrict Service Access to a specific port

Jump to Best Answer
  • 1.  Restrict Service Access to a specific port

    Posted 06-27-2017 02:33 AM

    Hi,

     

     Can we allow access of a service, through Gateway, only at a specific custom port (not the default 8443 one) ?

     

    Thanks,

    Siddharth



  • 2.  Re: Restrict Service Access to a specific port

    Posted 06-27-2017 03:04 AM

    Hello Siddharth,

     

    If I understand your question correctly then you want a service to be accessed at a specific port and not 8443.

     

    So first you have to open a custom port on the gateway and Load balancer

    and in the policy, you have to add a compare expression that compares the port and then start the execution of the policy.

    So at the beginning, you need to add compare assertion using ${request.tcp.listenPort} is equal to your custom port such as 8444  then you can add if else logic if the port is not equal to your custom port you can stop it.

     

     

    Please correct me if I am wrong

     

     

    Thank you



  • 3.  Re: Restrict Service Access to a specific port

    Posted 06-27-2017 10:29 AM

    Hello SIDDHARTHJAISWAL

     

    Have a review of the following doc link.  In particular you can associate an interface with a specific service.  have a look under 'Configuring the [Advanced] Tab' and 'Associate port with single published service'.  Typically this feature is used to provide some sort of custom resolution but it might work in your case. 

     

    https://docops.ca.com/ca-api-gateway/9-2/en/security-configuration-in-policy-manager/tasks-menu-security-options/manage-listen-ports/listen-port-properties#ListenPortProperties-Configuringthe[OtherSettings]Tab

     

    Regards

    Christopher Clark

    CA Support



  • 4.  Re: Restrict Service Access to a specific port
    Best Answer

    Posted 06-27-2017 10:29 AM

    Hi Siddharth

     

    You do need to create a new port within the listener port as Irfan stated, but there is another step that i would do and here it is:

     

     

    Click Advanced and make sure you allow the specific service that you want to expose on this port.  The compare expression isn't needed for this service.  We have the ability to open up a port and allow all services to be published on this port or a specific service.

     

    hope this helps.

     

    Derek